SQL INJECTION - detailed overview

Direct SQL injection is a technique in which an attacker creates new SQL commands or alters existing ones in order to expose hidden data, obtain valuable data, or even execute malicious scripts on the attacked server (SQL injection attacks mostly target sites backed by relational databases).

On such sites, the parameters are passed to the database as part of an SQL request. If the web developer performs no control over the parameters that go into the SQL request, an attacker can change the request with the intention of accessing the web site's databases and, hypothetically, changing their content.
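As an added example that is not part of the original page, the following Python script contrasts an uncontrolled lookup, which splices the parameter into the SQL text, with a parameterized lookup that binds it as a value; the in-memory table, its rows and the inputs are constructed for the demonstration.

```python
import sqlite3


def setup_db():
    # Constructed in-memory table with made-up rows for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_unchecked(conn, username):
    # Vulnerable: the parameter becomes part of the SQL text, so it can
    # change the structure of the request rather than just its value.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    # Controlled: the driver binds the parameter as a value; whatever it
    # contains is compared literally and never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo():
    conn = setup_db()
    benign = "bob"
    # Constructed input that closes the quote and appends a tautology.
    crafted = "x' OR '1'='1"
    return {
        "unchecked_benign": lookup_unchecked(conn, benign),
        "unchecked_crafted": lookup_unchecked(conn, crafted),
        "parameterized_benign": lookup_parameterized(conn, benign),
        "parameterized_crafted": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The uncontrolled lookup returns every row for the crafted input, while the parameterized lookup returns nothing, because the same string is treated as a value to match rather than as SQL.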